Build a golden AMI pipeline with Tenable.io available in AWS Marketplace
On December 1, 2019, AWS released EC2 Image Builder, which simplifies the creation, maintenance, validation, sharing, and deployment of Linux or Windows Server images. We now recommend AWS customers use EC2 Image Builder to manage your golden images. You can use the scripts provided in this blog post to create a golden AMI pipeline with Tenable scanning in EC2 Image Builder. Find out more about EC2 Image Builder here, and read this blog post Automate OS image build pipelines with EC2 Image Builder.
The golden AMI model provides consistent hardening of Amazon EC2 instances in AWS environments. Our customers love the scalable, standardized, and best practice way of creating Amazon Machine Images (AMI) using a pipeline that conducts continuous vulnerability assessments. This method uses Amazon Inspector or a third-party scanning tool provided by the AWS Partner Network. In this post, we provide a sample implementation for integrating the golden AMI pipeline with the tenable.io vulnerability scanner from Tenable. Tenable is an AWS Security Competency Partner whose products are available in AWS Marketplace. We based the solution in this post on the initial sample implementation created last year. I modified it to make use of Tenable’s product instead of Amazon Inspector.
Tenable’s vulnerability scanning products are available in AWS Marketplace. The golden AMI pipeline sample configuration is available on GitHub via the Amazon Software License. The repository contains a README guide that includes step-by-step instructions and AWS CloudFormation templates. Those templates enable you to set up a golden AMI pipeline that allows you to create, distribute across accounts, regularly assess, and decommission golden AMIs using Tenable.
Golden AMI pipeline workflow
The golden AMI workflow is as follows:
- Build the golden AMI
- Validate through a manual or automated process
- If approved, either
- Register as active, inspect regularly, and check compliance, or
- Distribute, consume, and decommission when obsolete
- If rejected, decommission.
- If approved, either
Please refer to the original golden AMI blog post for additional context around this implementation.
- Tenable.io must be set up and configured before deploying the golden AMI pipeline. Please refer to the README included with the solution code for details on setting up the Tenable application.
- You must have an AWS account with administrator privileges. Please refer to the AWS document to create an AWS account with an administrator.
Overview of the golden AMI creation process with Tenable
An AWS Systems Manager Document defines the automation steps for creating an initial golden AMI. You can invoke the process in three different ways: an Amazon CloudWatch scheduled event, using a Continuous Integration/Continuous Delivery (CI/CD) pipeline, or manually through AWS Systems Manager. Refer to the following diagram.
The automation steps for this process fall into three broad categories:
- Creating a candidate AMI
- An Amazon EC2 instance is launched using a base AMI specified as a parameter.
- Pre-update scripts, patches, and post-update scripts are run on the Amazon EC2 instance.
- An AMI is created from the Amazon EC2 instance, which becomes the golden AMI candidate. Refer to the following diagram to see the outline of this step.
- Perform a vulnerability assessment on the candidate AMI using Tenable
- Tags are applied to the candidate AMI to denote it as the candidate AMI.
- An Amazon EC2 instance is launched from the candidate AMI.
- A Tenable vulnerability scan is run on the Amazon EC2 instance from the candidate AMI.
- The Tenable assessment report is sent to the golden AMI approver. Refer to the following diagram to see the outline of this step.
- Approval of the new golden AMI
- An SNS notification is sent to the designated golden AMI approver.
- The golden AMI approver reviews the results of the Tenable vulnerability assessment and approves or denies the golden AMI in AWS Systems Manager.
- If the AMI is rejected, a golden AMI is not created. Scripts/patches for the instance can be updated and the process can be run again.
- If the AMI is approved, the candidate AMI ID will be stored in the AWS Systems Manager Parameter Store as the golden AMI ID. Refer to the following diagram to see the outline of this step.
Detailed information on this process is available in Steps 5 and 6 of the deployment guide.
Overview of the continuous vulnerability assessment process with Tenable
These steps comprise the continuous golden AMI vulnerability assessment process.
- A CloudWatch scheduled event triggers the continuous vulnerability assessment. The event runs at a frequency that is specified as a parameter when the golden AMI pipeline is created. This CloudWatch event invokes an AWS Lambda function, which runs the vulnerability assessment on the current version of the golden AMI.
- The AWS Systems Manager Parameter Store reads the list of available golden AMIs.
- Amazon EC2 instances are launched for each golden AMI available.
- Tags are applied to the Amazon EC2 instances created from the golden AMIs to denote them as approved instances launched using a golden AMI.
- An AWS Systems Manager automation document launches for each Amazon EC2 instance created from a golden AMI. This document:
- Runs a vulnerability assessment on the Amazon EC2 instance using Tenable.
- Makes an API call to Tenable to send the vulnerability assessment results to the golden AMI approver.
- Stops the Amazon EC2 instances launched for these assessments.
Detailed information on this process is captured in Step 8 of the deployment guide.
Deploying the sample golden AMI pipeline with Tenable
The golden AMI pipeline with Tenable sample GitHub repository contains sample AWS CloudFormation templates for the golden AMI solution with Tenable. Detailed instructions are in the deployment guide, including:
- How to set up the golden AMI pipeline infrastructure in the master account. If you’re using AWS Organizations, this is not the master payer account. Rather, it’s an account your Cloud Center of Excellence (CCOE) team has identified as the master account.
- How to test your golden AMI pipeline, including:
- Creating a golden AMI version, as a product can have multiple golden AMI versions. You can use either a private AMI, an AMI owned by Amazon, or an AMI based in AWS Marketplace as the source AMI.
- Distributing the golden AMI version to one or more accounts using AWS Lambda and AWS Systems Manager.
- Checking whether non-golden AMIs are launched by flagging them as non-compliant via an AWS Config rule.
- Launching an Amazon EC2 instance from the golden AMI in a governed manner in the child account using AWS Service Catalog.
- Performing continuous vulnerability assessments of all active golden AMIs using tenable.io.
- Decommissioning a golden AMI version.
For details on which operating systems the golden AMI pipeline for Tenable supports, check the support section of the deployment guide.
Out of scope
The golden AMI pipeline doesn’t give you guidance on how to harden the AMI nor which agents or tools to bake into the AMI. The security hardening requirements and hardening-validation scripts are specific to your organization. The golden AMI pipeline provides a framework for managing different aspects of the golden AMI you create and approve.
The pipeline does not give any inputs on whether you should create environment-specific or agnostic golden AMIs. How you inject the environment-specific parameters to create the final AMI is out of the context of this post and the pipeline.
Customers using vulnerability scanners from Tenable have been looking to implement a method for providing a repeatable, scalable, and approved application stack factory. Such a stack factory increases innovation velocity and reduces effort. It also increases the chief information security officer’s (CISO) confidence that IT teams are compliant in their cloud deployments.
In this blog post, I explained how to set up a golden AMI creation pipeline using a combination of AWS services and the tenable.io vulnerability scanner in AWS Marketplace. This provides the benefits of using hardened golden AMIs described in previous blog posts, along with the ability to use Tenable for vulnerability assessments.
If you have questions about implementing the solution described in this post, please contact AWS Support.
Mark Weiler is a Sr. Global Life Sciences Solutions Architect at AWS. He has spent over 20 years working in various technical roles at Healthcare, Life Sciences, and Genomics companies. In his current role, he is responsible for supporting lighthouse Life Sciences customers to architect new applications on AWS. In his free time, he enjoys reading, playing roller hockey, and spending time with his family.
Sagar Khasnis is a Partner Solutions Architect focusing on AWS Marketplace, AWS Service Catalog, and AWS Control Tower. He is passionate about building innovative solutions using AWS services to help customers achieve their business objectives.